OPENIDM-13801

Embedded DJ Delegated Admin is able to access relationship fields without correct privilege


      Description

      With embedded DJ, a Delegated Admin (DA) is able to access a relationship field without the correct privilege via a vertex query.

      Steps to reproduce:

      1. Create two users (one will be the DA) and one managed role
      2. Create an internal role with the privilege to view managed/role fields and assign the role to one user
      3. Run the query as the DA:
        curl -X GET \
          'http://idm.example.com:8080/openidm/managed/role?_queryFilter=true&_fields=members/*' \
          -H 'X-OpenIDM-Password: Passw0rd' \
          -H 'X-OpenIDM-Username: fuser'

      Expected result: the query responds with code 200 and an empty 'members' array.
      Actual result: the query responds with code 200, but there is a record in the 'members' array like:

      "result": [
        {
          "_id": "external-role-id",
          "_rev": "00000000d12c52df",
          "members": [
            {
              "_ref": "managed/user/user1",
              "_refResourceCollection": "managed/user",
              "_refResourceId": "user1",
              "_refProperties": {
                "_id": "baea499b-2fc6-4113-9dfb-816dc55e8115",
                "_rev": "000000002ebf95f6"
              },
              "_rev": "000000004b2a0ddf",
              "_id": "user1"
            }
          ]
        }
      ]

      Tested with OpenIDM 7.0.0-SNAPSHOT 160fbf6.
      With OpenIDM 7.0.0-M7 75d92a0, the same query was rejected with 403 Forbidden (that was the expected result at that time).
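
      The following is an added regression check, not code from the OpenIDM project or from this report. It embeds a constructed copy of the "actual result" body above beside the expected shape (an empty 'members' array) and flags any populated relationship entry a DA should not have been able to read; the live-query helper assumes a reachable instance and the same X-OpenIDM-Username / X-OpenIDM-Password headers used in the curl above.

```python
import json
import urllib.request

# Constructed sample: the "actual result" body from the report, as a dict.
# Not a capture from a live system.
LEAKING_RESPONSE = {
    "result": [
        {
            "_id": "external-role-id",
            "_rev": "00000000d12c52df",
            "members": [
                {
                    "_ref": "managed/user/user1",
                    "_refResourceCollection": "managed/user",
                    "_refResourceId": "user1",
                    "_refProperties": {
                        "_id": "baea499b-2fc6-4113-9dfb-816dc55e8115",
                        "_rev": "000000002ebf95f6",
                    },
                    "_rev": "000000004b2a0ddf",
                    "_id": "user1",
                }
            ],
        }
    ]
}

# Constructed sample: the response the report says a correctly privileged
# DA should receive (200 with an empty 'members' array).
EXPECTED_RESPONSE = {
    "result": [
        {"_id": "external-role-id", "_rev": "00000000d12c52df", "members": []}
    ]
}


def relationship_leaks(response, relationship_fields=("members",)):
    """Return (record _id, field, _ref) for every populated entry found in the
    named relationship fields.  An empty list means no relationship targets
    were returned, which is the expected outcome when the DA's privilege does
    not cover them."""
    leaks = []
    for record in response.get("result", []):
        for field in relationship_fields:
            for entry in record.get(field) or []:
                ref = entry.get("_ref") if isinstance(entry, dict) else None
                leaks.append((record.get("_id"), field, ref))
    return leaks


def privilege_enforced(response, relationship_fields=("members",)):
    """True when the response exposes no relationship targets at all."""
    return not relationship_leaks(response, relationship_fields)


def query_as_delegated_admin(base_url, username, password,
                             resource="managed/role", fields="members/*"):
    """Issue the report's query against a live instance (assumed reachable;
    not exercised offline) and return the parsed JSON body.  Pass the result
    to privilege_enforced() to re-run the check after a fix or upgrade."""
    url = f"{base_url}/openidm/{resource}?_queryFilter=true&_fields={fields}"
    req = urllib.request.Request(url, headers={
        "X-OpenIDM-Username": username,
        "X-OpenIDM-Password": password,
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for label, body in (("leaking", LEAKING_RESPONSE),
                        ("expected", EXPECTED_RESPONSE)):
        verdict = "enforced" if privilege_enforced(body) else "LEAK"
        print(label, verdict, relationship_leaks(body))
```

      Against the constructed bodies the check reports the report's actual result as a leak of managed/user/user1 and the expected result as enforced; pointing query_as_delegated_admin() at a test instance turns this into a repeatable post-upgrade check.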

      People

      • Assignee: dhogan Dirk Hogan
      • Reporter: alexander.dracka Alexander Dracka
